Huawei VPN technology: GRE tunnel between two USG firewalls

Topology used in this lab (eNSP): FW1 fronts site 1 (192.168.1.0/24 on G1/0/0, zone trust) and reaches the transit router AR1 through G1/0/1 (100.1.1.1/24, zone untrust); FW2 fronts site 2 (192.168.2.0/24 on G1/0/0) and reaches AR1 through G1/0/1 (200.1.1.2/24). AR1 joins 100.1.1.0/24 and 200.1.1.0/24. A GRE tunnel (Tunnel 0, 172.16.1.0/24) between the two public addresses carries the private traffic between the sites.

1. Start the devices

2. Configure IP addresses

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 100.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit

[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 192.168.2.254 24
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 200.1.1.2 24
[FW2-GigabitEthernet1/0/1]service-manage ping permit

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 100.1.1.2 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 200.1.1.1 24

service-manage ping permit on the outside interfaces only allows ICMP to the firewall itself (needed for the NAT check in the verification section); it does not open anything through the firewall.

3. Configure the Tunnel interfaces

[FW1]int Tunnel 0
[FW1-Tunnel0]ip add 172.16.1.1 24
[FW1-Tunnel0]tunnel-protocol gre
[FW1-Tunnel0]source 100.1.1.1
[FW1-Tunnel0]destination 200.1.1.2

[FW2]int Tunnel 0
[FW2-Tunnel0]ip add 172.16.1.2 24
[FW2-Tunnel0]tunnel-protocol gre
[FW2-Tunnel0]source 200.1.1.2
[FW2-Tunnel0]destination 100.1.1.1

The tunnel source and destination are the firewalls' public addresses and must be reachable through the underlay (OSPF in step 5), never through the tunnel itself. GRE provides encapsulation only: there is no authentication or encryption, so anyone on the path between 100.1.1.1 and 200.1.1.2 can read or inject the private traffic.

4. Add the firewall interfaces to their security zones

[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1-zone-untrust]add int Tunnel 0

[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/0
[FW2-zone-trust]q
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g1/0/1
[FW2-zone-untrust]add int Tunnel 0

Tunnel 0 is placed in untrust on both firewalls. Decapsulated traffic therefore enters the firewall from untrust, and traffic routed into the tunnel leaves towards untrust, so every trust/untrust policy (security and NAT alike) applies to the site-to-site traffic exactly as it does to Internet-bound traffic.

5. Configure OSPF

[FW1]ospf 1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255

[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

[FW2]ospf 1
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

Only the public links are advertised; the private LANs are deliberately kept out of OSPF so that they are reachable only through the tunnel (step 6).

6. Configure the static routes

[FW1]ip route-static 192.168.2.0 24 Tunnel 0
[FW2]ip route-static 192.168.1.0 24 Tunnel 0

Each firewall points the remote LAN at its tunnel interface; the tunnel endpoints themselves are resolved through the OSPF routes, which avoids a recursive lookup.

7. Configure the security policies

[FW1]security-policy
[FW1-policy-security]rule name local-untrust
[FW1-policy-security-rule-local-untrust]source-zone local
[FW1-policy-security-rule-local-untrust]destination-zone untrust
[FW1-policy-security-rule-local-untrust]source-address 100.1.1.0 0.0.0.255
[FW1-policy-security-rule-local-untrust]destination-address 200.1.1.0 0.0.0.255
[FW1-policy-security-rule-local-untrust]action permit
[FW1-policy-security-rule-local-untrust]q
[FW1-policy-security]rule name untrust-local
[FW1-policy-security-rule-untrust-local]source-zone untrust
[FW1-policy-security-rule-untrust-local]destination-zone local
[FW1-policy-security-rule-untrust-local]source-address 200.1.1.0 0.0.0.255
[FW1-policy-security-rule-untrust-local]destination-address 100.1.1.0 0.0.0.255
[FW1-policy-security-rule-untrust-local]action permit
[FW1-policy-security-rule-untrust-local]q
[FW1-policy-security]rule name trust-untrust
[FW1-policy-security-rule-trust-untrust]source-zone trust
[FW1-policy-security-rule-trust-untrust]destination-zone untrust
[FW1-policy-security-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255
[FW1-policy-security-rule-trust-untrust]action permit
[FW1-policy-security-rule-trust-untrust]q
[FW1-policy-security]rule name untrust-trust
[FW1-policy-security-rule-untrust-trust]source-zone untrust
[FW1-policy-security-rule-untrust-trust]destination-zone trust
[FW1-policy-security-rule-untrust-trust]action permit

[FW2]security-policy
[FW2-policy-security]rule name untrust-local
[FW2-policy-security-rule-untrust-local]source-zone untrust
[FW2-policy-security-rule-untrust-local]destination-zone local
[FW2-policy-security-rule-untrust-local]action permit
[FW2-policy-security-rule-untrust-local]q
[FW2-policy-security]rule name local-untrust
[FW2-policy-security-rule-local-untrust]source-zone local
[FW2-policy-security-rule-local-untrust]destination-zone untrust
[FW2-policy-security-rule-local-untrust]action permit
[FW2-policy-security-rule-local-untrust]q
[FW2-policy-security]rule name trust-untrust
[FW2-policy-security-rule-trust-untrust]source-zone trust
[FW2-policy-security-rule-trust-untrust]destination-zone untrust
[FW2-policy-security-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255
[FW2-policy-security-rule-trust-untrust]action permit
[FW2-policy-security-rule-trust-untrust]q
[FW2-policy-security]rule name untrust-trust
[FW2-policy-security-rule-untrust-trust]source-zone untrust
[FW2-policy-security-rule-untrust-trust]destination-zone trust
[FW2-policy-security-rule-untrust-trust]source-address 192.168.1.0 0.0.0.255
[FW2-policy-security-rule-untrust-trust]action permit

The local/untrust rules let the firewall itself send and receive the GRE packets (the tunnel is terminated in the local zone). The trust/untrust rules cover both Internet-bound traffic and the site-to-site traffic, because Tunnel 0 lives in untrust. Note that the two firewalls are not configured symmetrically: FW1's untrust-trust rule permits any source from untrust into the LAN, while FW2 restricts it to 192.168.1.0/24; FW1 limits its local/untrust rules to the two public subnets, while FW2 leaves them open to any address. FW2's untrust-trust rule is the tighter choice and is what the VPN actually needs (only the remote LAN should reach the local LAN); FW1's unrestricted rule should be narrowed to 192.168.2.0/24 in the same way.

8. Configure the NAT policies

[FW1]nat-policy
[FW1-policy-nat]rule name trust-untrust
[FW1-policy-nat-rule-trust-untrust]source-zone trust
[FW1-policy-nat-rule-trust-untrust]destination-zone untrust
[FW1-policy-nat-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255
[FW1-policy-nat-rule-trust-untrust]action source-nat easy-ip

[FW2]nat-policy
[FW2-policy-nat]rule name trust-untrust
[FW2-policy-nat-rule-trust-untrust]source-zone trust
[FW2-policy-nat-rule-trust-untrust]destination-zone untrust
[FW2-policy-nat-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255
[FW2-policy-nat-rule-trust-untrust]action source-nat easy-ip

easy-ip translates the source to the address of the outgoing interface, so LAN hosts reaching the public network appear as 100.1.1.1 (FW1) or 200.1.1.2 (FW2). Caveat: because Tunnel 0 was added to untrust in step 4, this trust-to-untrust rule also matches site-to-site traffic routed into the tunnel, and the source is then rewritten to the tunnel interface address (172.16.1.1 on FW1, 172.16.1.2 on FW2) instead of being carried end to end. With the policies as shown this is also why only PC2 to PC1 is verified below: FW1's untrust-trust rule accepts any source, so PC2's traffic (arriving as 172.16.1.2) passes, whereas FW2's untrust-trust rule only admits 192.168.1.0/24 and would not match PC1's traffic arriving as 172.16.1.1. To keep the private addresses inside the tunnel, add a NAT rule with action no-nat for traffic from 192.168.1.0/24 to 192.168.2.0/24 on FW1 (and the mirror on FW2) and place it ahead of the easy-ip rule, or move Tunnel 0 into a zone of its own so that destination-zone untrust no longer covers it.
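The interaction between steps 4, 7 and 8 is easy to miss, so here is a small Python model of it, added as an illustration; it is not part of the original lab and not Huawei code. It rebuilds FW1's zones, routes and rules from the configuration above and evaluates the same flow with and without a NAT exemption. The matching semantics (longest-prefix route, first matching rule, security policy before NAT, easy-ip using the egress interface address) are a simplification assumed for the example; the PC address 192.168.1.1 and the rule name no-nat-to-site2 are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One security-policy or NAT-policy rule; None for an address means 'any'."""
    name: str
    src_zone: str
    dst_zone: str
    action: str                    # security: "permit"/"deny"; NAT: "easy-ip"/"no-nat"
    src: Optional[str] = None      # CIDR prefix of matching sources
    dst: Optional[str] = None      # CIDR prefix of matching destinations

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str) -> bool:
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and in_net(src_ip, self.src) and in_net(dst_ip, self.dst))


@dataclass
class Firewall:
    zones: dict        # interface -> zone
    addresses: dict    # interface -> own address (what easy-ip translates to)
    routes: list       # (prefix, egress interface); longest prefix wins
    security: list = field(default_factory=list)
    nat: list = field(default_factory=list)

    def egress(self, dst_ip: str) -> Optional[str]:
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, ingress: str, src_ip: str, dst_ip: str) -> dict:
        """Route, then inter-zone security policy, then source NAT (simplified model)."""
        out = self.egress(dst_ip)
        if out is None:
            return {"verdict": "drop", "reason": "no route"}
        pair = (self.zones[ingress], self.zones[out])
        sec = next((r for r in self.security if r.matches(*pair, src_ip, dst_ip)), None)
        if sec is None or sec.action != "permit":
            return {"verdict": "drop", "reason": "security policy", "egress": out, "zones": pair}
        nat = next((r for r in self.nat if r.matches(*pair, src_ip, dst_ip)), None)
        new_src = self.addresses[out] if nat is not None and nat.action == "easy-ip" else src_ip
        return {"verdict": "permit", "egress": out, "zones": pair, "src": new_src,
                "nat_rule": nat.name if nat else None}


def fw1(exclude_site_to_site: bool) -> Firewall:
    """FW1 as configured in steps 2-8 (connected, OSPF-learned and static routes)."""
    fw = Firewall(
        zones={"G1/0/0": "trust", "G1/0/1": "untrust", "Tunnel0": "untrust"},
        addresses={"G1/0/0": "192.168.1.254", "G1/0/1": "100.1.1.1", "Tunnel0": "172.16.1.1"},
        routes=[("192.168.1.0/24", "G1/0/0"), ("100.1.1.0/24", "G1/0/1"),
                ("200.1.1.0/24", "G1/0/1"),          # learned from AR1 via OSPF
                ("192.168.2.0/24", "Tunnel0")],      # ip route-static 192.168.2.0 24 Tunnel 0
        security=[Rule("trust-untrust", "trust", "untrust", "permit", src="192.168.1.0/24")],
    )
    if exclude_site_to_site:
        # Hypothetical fix (not in the lab): exempt LAN-to-LAN traffic, placed before easy-ip.
        fw.nat.append(Rule("no-nat-to-site2", "trust", "untrust", "no-nat",
                           src="192.168.1.0/24", dst="192.168.2.0/24"))
    fw.nat.append(Rule("trust-untrust", "trust", "untrust", "easy-ip", src="192.168.1.0/24"))
    return fw


if __name__ == "__main__":
    for exclude in (False, True):
        fw = fw1(exclude)
        print("no-nat rule present:", exclude)
        print("  PC1 -> FW2 WAN ", fw.forward("G1/0/0", "192.168.1.1", "200.1.1.2"))
        print("  PC1 -> PC2     ", fw.forward("G1/0/0", "192.168.1.1", "192.168.2.1"))
```

Without the exemption, PC1's packet to PC2 leaves through Tunnel0 as trust-to-untrust and is translated to 172.16.1.1; with the no-nat rule in front, the same packet keeps 192.168.1.1, while Internet-bound traffic through G1/0/1 is still translated to 100.1.1.1.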

Verification:

1. PC2 can ping PC1.

2. Display the session table on FW2 and look at the direction of the GRE packets (the private ICMP session and the outer GRE session between 200.1.1.2 and 100.1.1.1 both appear).

3. Check the NAT translation: when PC2 pings 100.1.1.1, the session table shows the private address translated to 200.1.1.2 before it reaches 100.1.1.1.

4. Capture on FW2's G1/0/1 and inspect the packets. GRE is IP protocol number 47, not a port: it is carried directly inside IP, so filter on the IP protocol field (for example ip.proto == 47 in Wireshark) rather than on a TCP/UDP port. Each captured packet shows the outer header 200.1.1.2 -> 100.1.1.1 followed by the unencrypted inner private packet.
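To make concrete what the capture in step 4 shows, the following Python builds the packet that PC2's echo request becomes after FW2 encapsulates it (outer 200.1.1.2 -> 100.1.1.1 with IP protocol 47, inner 192.168.2.1 -> 192.168.1.1) and dissects it again. It is an added illustration, not taken from the lab or from any Huawei tool; the PC addresses 192.168.2.1 and 192.168.1.1 are assumed (the lab does not list them), the bytes are constructed rather than captured, and the inner source is written as the PC's own address, which is what you get only if the easy-ip rule does not apply to tunnel traffic.

```python
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_GRE = 47            # GRE rides directly on IP as protocol 47; there is no port
GRE_PROTO_IPV4 = 0x0800     # GRE protocol-type value for an inner IPv4 packet


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, data: bytes = b"eNSP-lab") -> bytes:
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 header (protocol 47) + 4-byte GRE header with no optional fields (RFC 2784)."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4) + inner
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre)) + gre


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "ttl": pkt[8], "payload": pkt[ihl:]}


def gre_decapsulate(pkt: bytes) -> dict:
    """Split a captured packet into outer and inner headers; reject anything that is not plain GRE/IPv4."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE (47)" % outer["proto"])
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:       # C, K or S bit set: checksum/key/sequence fields present, not handled here
        raise ValueError("GRE optional fields not supported by this parser")
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return {"outer": outer, "inner": parse_ipv4(outer["payload"][4:])}


def pc2_ping_pc1_on_wire() -> bytes:
    """Constructed sample: PC2 (192.168.2.1) pings PC1 (192.168.1.1); FW2 wraps it in its GRE tunnel."""
    icmp = icmp_echo_request(0x1234, 1)
    inner = ipv4_header("192.168.2.1", "192.168.1.1", IPPROTO_ICMP, len(icmp)) + icmp
    return gre_encapsulate(inner, "200.1.1.2", "100.1.1.1")


if __name__ == "__main__":
    pkt = gre_decapsulate(pc2_ping_pc1_on_wire())
    print("outer:", pkt["outer"]["src"], "->", pkt["outer"]["dst"], "proto", pkt["outer"]["proto"])
    print("inner:", pkt["inner"]["src"], "->", pkt["inner"]["dst"], "proto", pkt["inner"]["proto"])
```

The outer header is all that AR1 and the NAT/security rules on G1/0/1 ever see; the inner header, including the private addresses and the ICMP payload, is visible in clear to anyone capturing on the path, which is the reason to layer IPsec over GRE when the transit network is not trusted.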
